unbound replaces CNAME query with A query?
pemensik at redhat.com
Fri Mar 31 11:01:28 UTC 2023
I am using dnssec-trigger-0.17-7.fc36.x86_64 and
unbound-1.17.1-1.fc36.x86_64 on Fedora 36. But I cannot reproduce the
behaviour, even if I flush cache by "unbound-control flush_zone ." It is
returning consistently CNAME with NOERROR. Does it happen only when the
unbound does not have forwarders and is iterating itself? I keep getting
CNAME with NOERROR.
$ kdig cnametest.bleve.fi. CNAME
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33690
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; cnametest.bleve.fi. IN CNAME
;; ANSWER SECTION:
cnametest.bleve.fi. 7200 IN CNAME nxdomain.foobar.fi.
;; Received 66 B
;; Time 2023-03-31 12:58:20 CEST
;; From 127.0.0.1 at 53(UDP) in 0.5 ms
Does it happen only after unbound is fresh started? Are there steps to
reproduce on the running instance?
On 3/31/23 10:17, Tuomo Soini via Unbound-users wrote:
> On Thu, 30 Mar 2023 23:28:37 +0200
> Christoph via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>> Hi Petr,
>> thanks for your reply and your questions.
>> Petr Menšík via Unbound-users:
>>> Correct me if I understand it not correctly. whether you query CNAME
>>> or A record should not make a difference in NXDOMAIN status. But in
>>> any case the answer is not there. How does it change ACME process
>>> when there is NXDOMAIN and not just no-answer NOERROR response?
> There really seem to be issue in unbound when querying cname.
> I created test record, pointing at another domain, non-exiting name.
> kdig cnametest.bleve.fi. CNAME
> ;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 46683
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;; cnametest.bleve.fi. IN CNAME
> ;; AUTHORITY SECTION:
> bleve.fi. 3462 IN SOA
> foo-ns.foobar.fi. hostmaster.foobar.fi. 1679142493 28800 7200 864000
> ;; Received 97 B
> ;; Time 2023-03-31 11:13:51 EEST
> ;; From 2001:998:2e::1 at 53(UDP) in 0.8 ms
> If I query from authoritative server directly, I get correct answer.
> It looks like unbound errorously try to follow cname to non-existing
> record even when cname itself is queried. CNAME should only be followed
> if something != cname is queried.
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
More information about the Unbound-users